As delineated in a previous client advisory, the Federal Communications Commission ("FCC" or "Commission") has adopted rules which, among other things, require all voice service providers ("VSPs") with STIR/SHAKEN requirements to obtain SPC tokens, and ensure that all their calls are signed with their own STIR/SHAKEN certificates, not that of a third party (i.e. the "Third Party Rule"). The underlying Eighth Report and Order ("R&O") lists the compliance deadline as "30 days after publication of this Report and Order in the Federal Register following OMB approval, or 210 days after release of this Report and Order, whichever is later." As stated in a recent FCC Public Notice, the R&O was published in the Federal Register on August 19, 2025, which means that the effective date of the Third Party Rule is September 18, 2025.
A lot of misinformation has, intentionally or unintentionally, been disseminated over the past few months about the Third Party Rule, mainly concerning which types of VSPs are subject to same. The Commission states that the only carriers affected by the new rule are VSPs with STIR/SHAKEN implementation requirements. The three categories of carriers subject to STIR/SHAKEN requirements are:
- VSPs that originate calls.
- Non-gateway intermediate VSPs that carry or process calls without originating or terminating them.
- Gateway VSPs that receive calls from foreign originating or intermediate providers at their U.S. facilities and transmit them downstream.
VSPs that fall into one of above-listed categories must control the facilities necessary to implement STIR/SHAKEN (e.g., soft switches, platforms, PBXs, SIP trunks, etc.) in order to be subject to the STIR/SHAKEN rules. VSPs that do not control the necessary facilities are exempt from STIR/SHAKEN implementation requirements and are not affected by the Third Party Rule.
Further, the Third Party Rule permits VSPs that have STIR/SHAKEN implementation requirements to outsource the technological act of signing the calls to a third party, as long as the calls are signed using the VSP's own STIR/SHAKEN certificate (not that of the third party), and the VSP makes its own attestation level decisions for authenticating caller ID information.
The FCC requires that any VSP that arranges for a third party to perform the signing must do so pursuant to a written agreement. Among other things, such an agreement must stipulate that: (a) the calls will be signed with the VSP's own certificate; (b) the third party is only performing the act of digitally signing the calls; and (c) the VSP will make the attestation level decisions. Parties to a third party signing agreement must keep that agreement in their records, in order to provide it to the FCC upon request.
Some service providers and other entities have stated that all VSPs are required to become fully STIR/SHAKEN compliant and sign their own calls with their own certificates. That is incorrect. The R&O clearly states that only VSPs subject to STIR/SHAKEN compliance are required to obtain a token and sign their own calls (with or without a third party performing the mechanics).
Unfortunately, some upstream service are erroneously informing their VSP customers that are exempt from STIR/SHAKEN compliance that they must become STIR/SHAKEN compliant and commence signing their calls with their own certificates. A few of those carriers are also threatening to stop providing A-level attestations for calls they originate on behalf of exempt VSP customers if they do not cave to their "internal policies." Those carriers incorrectly assert that carriers that cannot become STIR/SHAKEN compliant must do so anyway, referring to them as "unwilling" to sign their own calls, and offering them access to "portals" where they can load their tokens and certificates to sign their own calls.
The fact is that no VSP that is exempt from STIR/SHAKEN requirements is required to become STIR/SHAKEN compliant (i.e., obtain its own token and certificate) and engage in call signing. All upstream carriers that have STIR/SHAKEN obligations are required to continue attesting calls at A-level when appropriate. If an upstream carrier attests calls at lower levels, their VSP customers' businesses could be harmed because lowering the attestation level would, among other things, make their calls more likely to be blocked by analytics engines. Consequently, exempt VSPs should inform their upstream providers of their exemption status and refuse to accept lower attestation rates.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
